Slashdot Mirror


Is Analog the Fix For Cyber Terrorism?

chicksdaddy writes "The Security Ledger has picked up on an opinion piece by noted cyber terrorism and Stuxnet expert Ralph Langner (@langnergroup) who argues in a blog post that critical infrastructure owners should consider implementing what he calls 'analog hard stops' to cyber attacks. Langner cautions against the wholesale embrace of digital systems by stating the obvious: that 'every digital system has a vulnerability,' and that it's nearly impossible to rule out the possibility that potentially harmful vulnerabilities won't be discovered during the design and testing phase of a digital ICS product. ... For example, many nuclear power plants still rely on what is considered 'outdated' analog reactor protection systems. While that is a concern (maintaining those systems and finding engineers to operate them is increasingly difficult), the analog protection systems have one big advantage over their digital successors: they are immune against cyber attacks.

Rather than bowing to the inevitability of the digital revolution, the U.S. Government (and others) offering support for (or at least openness to) analog components as a backstop to advanced cyber attacks could create the financial incentive for aging systems to be maintained and the engineering talent to run them to be nurtured, Langner suggests."
Or maybe you could isolate control systems from the Internet.

4 of 245 comments

  1. Re:sure, no problem by phantomfive · Score: 4, Interesting

    said the person volunteering to get up at 3 am to go to the office to reset the a/c system.

    I can't speak for everyone, but I would rather pay extra for someone to be willing to do that (or do it myself, it shouldn't be a common situation) before I connect important systems to the internet.

    Having an air gap isn't a perfect solution, but it makes things a lot harder for attackers.

    --
    "First they came for the slanderers and i said nothing."
  2. Re:sure, no problem by mlts · Score: 5, Interesting

    As a compromise, one can always do something similar to this:

    1: Get two machines with a RS232 port. One will be the source, one the destination.

    2: Cut the wire on the serial port cable so the destination machine has no ability to communicate with the source.

    3: Have the source machine push data through the port, destination machine constantly monitor it and log it to a file.

    4: Have a program on the destination machine parse the log and do the paging, etc. if a parameter goes out of bounds.

    This won't work for high data rates, but it will sufficiently isolate the inner subsystem from the Internet while providing a way for data to get out in real time. Definitely not immune to physical attack, but it will go a long way to stopping remote attacks, since there are no connections that can be made into the source machine's subnet.
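    The destination side of the one-way serial link described above, as an added example that is not part of mlts's post. The frame format (`name=value*XX`, with an XOR checksum like NMEA sentences), the parameter names and the bounds are all constructed for illustration; the checksum matters because the cut return wire means the destination can never ask for a retransmission, so it must detect and drop corrupted lines on its own.

```python
"""Destination-side monitor for a one-way (TX-only) serial telemetry link."""
import re

# Constructed frame format for this example: "<name>=<value>*<checksum>",
# where <checksum> is the XOR of every byte in "<name>=<value>", as two hex digits.
FRAME_RE = re.compile(r"^([A-Za-z0-9_]+)=(-?\d+(?:\.\d+)?)\*([0-9A-Fa-f]{2})$")

# Placeholder alarm limits (lo, hi); a real deployment would load these from config.
LIMITS = {"reactor_temp_c": (250.0, 320.0), "coolant_flow_lpm": (800.0, 1500.0)}


def checksum(payload: str) -> int:
    """XOR of the payload bytes; cheap enough to compute on every line."""
    x = 0
    for b in payload.encode():
        x ^= b
    return x


def frame(name, value) -> str:
    """Build one frame as the source machine would emit it (used to construct samples)."""
    payload = f"{name}={value}"
    return f"{payload}*{checksum(payload):02X}"


def parse_frame(line):
    """Return (name, value) for a well-formed frame, or None if malformed or corrupted."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    name, val, cs = m.groups()
    if int(cs, 16) != checksum(f"{name}={val}"):
        return None  # line damaged in transit; nothing to do but drop it
    return name, float(val)


def check_frames(lines):
    """Scan logged lines; return (alert messages, count of rejected lines)."""
    alerts, rejected = [], 0
    for line in lines:
        parsed = parse_frame(line)
        if parsed is None:
            rejected += 1
            continue
        name, val = parsed
        if name not in LIMITS:
            continue  # unknown parameter: log-only, no paging rule
        lo, hi = LIMITS[name]
        if not lo <= val <= hi:
            alerts.append(f"{name}={val} outside [{lo}, {hi}]")  # hand to the pager here
    return alerts, rejected


# Constructed sample: two good readings, one out of bounds, one corrupted, one garbage.
SAMPLE = [frame("reactor_temp_c", 301.5), frame("coolant_flow_lpm", 1200),
          frame("reactor_temp_c", 335.0), "reactor_temp_c=999*00", "garbage"]
```

    In production the `lines` argument would be the serial log file (or a pyserial reader) tailed continuously; the parser never writes to the port, matching the cut wire.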

  3. Re:sure, no problem by thegarbz · Score: 4, Interesting

    This is why security should be a system and not an airgap. The idea that a computer should not be on the internet and patting yourself on the back for the idea and calling it a job well done is almost becoming a slashdot meme.

    Never underestimate what bored shift workers do during night shift. We had one group of people figure out how to watch a divx movie on the screen of an ABB Gas Chromatograph.

    The problem is more social than technological.

  4. @ CGordy - Re:sure, no problem by nukenerd · Score: 4, Interesting

    I am a nuclear power station engineer, in fact I am in line of signing off everything that might affect plant safety. I recognise most of what you say, such as the plant not relying on any one safety system, but on two or even three (depending on potential severity) independent and differently designed control systems (not counting the human watchkeepers) - the jargon being "redundancy and diversity". An earlier poster implied that a digital system would save people being called out of bed at 3 am for a plant event, but on my nuclear plants this would happen anyway. The station manager would certainly be called up for a plant trip (at the very least because he would want to know about it), as would several other personnel, even though safe shut-down would not depend on their presence as it would be done automatically anyway.

    However, the plant operators are engineers (this is the UK) and the senior ones and fast-track juniors have degrees (though a degree does not mean so much these days), even though the Operating Department is separate from the Engineering Department. Personnel do move from one to the other, and it is expected that even senior management will have had at least a few months' experience "on the desk" (i.e. in the Control Room).

    There is no way whatsoever, no-how, any-which-way-but-loose (how else can I say it?) that these systems would have any connection to the outside world or even within the plant itself to anything other than the essential control panels.

    There is however a problem with modern "smart" devices such as thermocouple local amplifiers/transmitters with microchips in them. This is that we don't always know how they are programmed. I am not talking about malware, but simply the programmer making errors (or well-meaning assumptions) such as buffer overflow after a certain future date. For this reason we prefer the old-fashioned analog versions of devices at this level.